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Preface  &  Acknowledgements 


Welcome  to  our  Tenth  Annual  Acquisition  Research  Symposium!  We  regret  that  this 
year  it  will  be  a  “paper  only”  event.  The  double  whammy  of  sequestration  and  a  continuing 
resolution,  with  the  attendant  restrictions  on  travel  and  conferences,  created  too  much 
uncertainty  to  properly  stage  the  event.  We  will  miss  the  dialogue  with  our  acquisition 
colleagues  and  the  opportunity  for  all  our  researchers  to  present  their  work.  However,  we 
intend  to  simulate  the  symposium  as  best  we  can,  and  these  Proceedings  present  an 
opportunity  for  the  papers  to  be  published  just  as  if  they  had  been  delivered.  In  any  case,  we 
will  have  a  rich  store  of  papers  to  draw  from  for  next  year’s  event  scheduled  for  May  14-15, 
2014! 


Despite  these  temporary  setbacks,  our  Acquisition  Research  Program  (ARP)  here  at 
the  Naval  Postgraduate  School  (NPS)  continues  at  a  normal  pace.  Since  the  ARP’s 
founding  in  2003,  over  1 ,200  original  research  reports  have  been  added  to  the  acquisition 
body  of  knowledge.  We  continue  to  add  to  that  library,  located  online  at 
www.acquisitionresearch.net,  at  a  rate  of  roughly  140  reports  per  year.  This  activity  has 
engaged  researchers  at  over  70  universities  and  other  institutions,  greatly  enhancing  the 
diversity  of  thought  brought  to  bear  on  the  business  activities  of  the  DoD. 

We  generate  this  level  of  activity  in  three  ways.  First,  we  solicit  research  topics  from 
academia  and  other  institutions  through  an  annual  Broad  Agency  Announcement, 
sponsored  by  the  USD(AT&L).  Second,  we  issue  an  annual  internal  call  for  proposals  to 
seek  NPS  faculty  research  supporting  the  interests  of  our  program  sponsors.  Finally,  we 
serve  as  a  “broker”  to  market  specific  research  topics  identified  by  our  sponsors  to  NPS 
graduate  students.  This  three-pronged  approach  provides  for  a  rich  and  broad  diversity  of 
scholarly  rigor  mixed  with  a  good  blend  of  practitioner  experience  in  the  field  of  acquisition. 
We  are  grateful  to  those  of  you  who  have  contributed  to  our  research  program  in  the  past 
and  encourage  your  future  participation. 

Unfortunately,  what  will  be  missing  this  year  is  the  active  participation  and 
networking  that  has  been  the  hallmark  of  previous  symposia.  By  purposely  limiting 
attendance  to  350  people,  we  encourage  just  that.  This  forum  remains  unique  in  its  effort  to 
bring  scholars  and  practitioners  together  around  acquisition  research  that  is  both  relevant  in 
application  and  rigorous  in  method.  It  provides  the  opportunity  to  interact  with  many  top  DoD 
acquisition  officials  and  acquisition  researchers.  We  encourage  dialogue  both  in  the  formal 
panel  sessions  and  in  the  many  opportunities  we  make  available  at  meals,  breaks,  and  the 
day-ending  socials.  Many  of  our  researchers  use  these  occasions  to  establish  new  teaming 
arrangements  for  future  research  work.  Despite  the  fact  that  we  will  not  be  gathered 
together  to  reap  the  above-listed  benefits,  the  ARP  will  endeavor  to  stimulate  this  dialogue 
through  various  means  throughout  the  year  as  we  interact  with  our  researchers  and  DoD 
officials. 

Affordability  remains  a  major  focus  in  the  DoD  acquisition  world  and  will  no  doubt  get 
even  more  attention  as  the  sequestration  outcomes  unfold.  It  is  a  central  tenet  of  the  DoD’s 
Better  Buying  Power  initiatives,  which  continue  to  evolve  as  the  DoD  finds  which  of  them 
work  and  which  do  not.  This  suggests  that  research  with  a  focus  on  affordability  will  be  of 
great  interest  to  the  DoD  leadership  in  the  year  to  come.  Whether  you’re  a  practitioner  or 
scholar,  we  invite  you  to  participate  in  that  research. 

We  gratefully  acknowledge  the  ongoing  support  and  leadership  of  our  sponsors, 
whose  foresight  and  vision  have  assured  the  continuing  success  of  the  ARP: 
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•  Office  of  the  Under  Secretary  of  Defense  (Acquisition,  Technology,  & 
Logistics) 

•  Director,  Acquisition  Career  Management,  ASN  (RD&A) 

•  Program  Executive  Officer,  SHIPS 

•  Commander,  Naval  Sea  Systems  Command 

•  Program  Executive  Officer,  Integrated  Warfare  Systems 

•  Army  Contracting  Command,  U.S.  Army  Materiel  Command 

•  Office  of  the  Assistant  Secretary  of  the  Air  Force  (Acquisition) 

•  Office  of  the  Assistant  Secretary  of  the  Army  (Acquisition,  Logistics,  & 
Technology) 

•  Deputy  Director,  Acquisition  Career  Management,  U.S.  Army 

•  Office  of  Procurement  and  Assistance  Management  Headquarters, 
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Evaluation 
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Abstract 

We  present  results  from  our  ongoing  investigation  of  how  best  to  acquire  secure  open 
architecture  (OA)  software  systems.  These  systems  incorporate  software  product  line  (SPL) 
practices  that  include  closed  source  proprietary  software  and  open  source  software  (OSS) 
components,  where  such  components  and  overall  system  configurations  are  subject  to 
different  security  requirements.  The  combination  of  SPLs  and  OSS  components  within  secure 
OA  systems  represents  a  significant  opportunity  for  reducing  the  acquisition  costs  of 
software-intensive  systems.  We  seek  to  make  this  a  simpler,  more  transparent,  and  more 
tractable  process.  Such  a  process  must  be  easy  to  reuse,  adapt,  and  streamline  for  different 
system  application  domains  in  order  to  realize  cost  reductions  and  improve  acquisition 
workforce  capabilities.  Further,  such  a  process  should  be  aligned  with  Better  Buying  Power 
initiatives  addressing  OA  systems,  improved  competition,  defense  affordability,  and 
acquisition  workforce  improvements.  We  identify  different  ways  and  means  for  how  to 
streamline  the  acquisition  process  for  secure  OA  software  systems  through  a  focus  on  doing 
more  with  limited  resources.  Along  the  way,  we  pay  particular  attention  to  revealing  how 
software  licensing  practices  can  affect  cost  in  ways  that  hamper  or  better  the  buying  power  of 
acquisition  programs. 

Introduction 

Our  focus  in  this  effort  is  to  identify  ways  and  means  for  streamlining  the  acquisition 
process  for  secure  open  architecture  (OA)  systems.  These  OA  systems  often  rely  on  the 
integration  of  components  that  are  independently  developed  by  different  software  producers 
and  made  available  as  either  open  source  software  (OSS)  or  proprietary  closed  source 
software  executables.  Program  managers,  acquisition  officers,  and  contract  managers  will 
increasingly  be  called  on  to  review  and  approve  security  measures  employed  during  the 
design,  implementation,  and  deployment  of  OA  systems  (Department  of  Defense  [DoD] 

Open  System  Architecture  [OSA],  201 1 ).  Our  effort  builds  on  both  our  prior  acquisition 
research  (e.g.,  Scacchi  &  Alspaugh,  2008,  2011, 2012a)  and  related  acquisition  research 
efforts  at  the  Program  Executive  Office  (PEO)  Integrated  Warfare  Systems  (IWS;  Guertin  & 
Clements,  2010;  Guertin  &  Womble,  2012;  Womble,  Schmidt,  Arendt,  &  Fain,  2011),  the 
Department  of  the  Navy  (Mactal  &  Spruill,  2012),  and  the  Software  Engineering  Institute 
(SEI)  that  address  software  product  lines  (SPLs;  Bergey  &  Jones,  2010;  Jones  &  Bergey, 
2011;  Northrop  &  Clements,  2007).  It  is  also  influenced  by  related  research  in  the  DoD 
community  addressing  OSS  (Defense  Information  Systems  Agency  [DISA],  2012;  Hissam, 
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Weinstock,  &  Bass,  2010;  Kenyon,  2012;  Martin  &  Lippold,  2011],  component-based 
software  ecosystems  (Scacchi  &  Alspaugh,  2012b;  Reed,  Benito,  Collens,  &  Stein,  2012), 
and  Better  Buying  Power  (BBP)  initiatives  (Defense  Acquisition  University  [DAU],  2012). 

OSS  represents  an  integrated  web  of  people,  processes,  and  organizations, 
including  project  teams  operating  as  virtual  organizations  (Scacchi,  2007,  2009,  2010). 

There  is  a  basic  need  to  understand  how  to  identify  an  optimal  mix  of  OSS  within  OA 
systems  as  products,  production  processes,  practices,  community  activities,  and  multi¬ 
project  (or  multi-organization)  software  ecosystems.  However,  the  relationship  among  OA, 
OSS,  security  requirements,  and  acquisition  is  poorly  understood  [cf.  Scacchi,  2009,  2010; 
Scacchi  &  Alspaugh,  2011, 2012b;  Naegle  &  Petross,  2007],  Subsequently,  from  2007- 
2008,  we  began  by  examining  how  different  OSS  licenses  can  encumber  software  systems 
with  OA,  which  therefore  give  rise  to  new  requirements  for  how  best  to  acquire  software¬ 
intensive  systems  with  OA  and  OSS  elements  (Scacchi  &  Alspaugh,  2008). 

As  a  result  of  our  recent  acquisition  research  efforts,  we  have  been  able  to 
demonstrate  that  it  is  both  possible  and  feasible  to  develop  OA  systems  that  incorporate 
best-of-breed  software  components,  whether  proprietary  or  OSS,  in  ways  that  can  reduce 
the  initial  and  sustaining  acquisition  costs  of  such  systems. 

We  believe  that  such  results  are  applicable  to  both  enterprise  information  systems, 
which  are  widespread  throughout  the  DoD  and  the  U.S.  government,  as  well  as  command 
and  control  (C2;  e.g.,  Reed  et  al.,  2012;  Scacchi,  Brown,  &  Nies,  2012;  Scacchi  &  Alspaugh, 
2013b)  and  other  defense  systems.  Doing  so,  however,  requires  new  guidance,  and  ideally 
automated  tools,  for  explicitly  modeling  and  analyzing  the  architecture  of  an  OA  system 
during  its  development  and  evolution,  along  with  modeling  and  annotating  the  architecture 
with  software  component  license  rights  and  obligations.  Our  results  thus  demonstrate  a 
major  technological  advance  in  the  acquisition  and  development  of  OA  systems,  as  a 
breakthrough  in  simplifying  software  license  analyses  throughout  the  contracting  activities. 
Creating  similar  advances  for  streamlining  the  acquisition  process,  while  reducing  the  costs 
of  secure  OA  systems,  is  the  next  breakthrough  that  is  needed. 

In  this  paper,  we  describe  ways  and  means  for  how  to  articulate,  tailor,  and 
streamline  the  process  for  how  to  simply  and  transparently  specify  and  assess  OA  system 
security  when  acquiring  different  kinds  of  OA  systems,  and  to  do  so  in  ways  that  highlight 
opportunities  for  cost  reduction  through  system  security  requirements  specification  and  OA 
system  acquisition  process  streamlining.  We  provide  examples  of  complex  software 
elements  that  are  applicable  to  many  kinds  of  software-intensive  systems  within  the  DoD  as 
well  as  within  other  government  agencies  and  industrial  firms.  But  we  start  in  the  next 
section  by  reiterating  BBP  principles  and  initiatives  that  guide  this  research  by  focusing  on 
how  to  promote  competition  in  the  acquisition  and  development  of  secure  OA  systems. 

Open  Architecture  and  Better  Buying  Power 

BBP  (see  http://bbp.dau.mil/)  is  part  of  the  DoD’s  mandate  to  do  more  without  more 
by  implementing  best  practices  in  acquisition.  BBP  identifies  seven  areas  of  focus  that  group 
a  larger  set  of  36  initiatives  that  offer  the  potential  to  restore  affordability  in  defense 
procurement  and  improve  defense  industry  productivity.  One  of  the  seven  areas  focuses  on 
promoting  competition,  and  this  area  includes  an  initiative  to  “enforce  open  system 
architectures  and  effectively  manage  technical  data  rights”  (DAU,  2012).  Technical  data 
rights  pertain  to  two  categories  of  intellectual  property  (IP):  they  refer  to  the  government’s 
rights  to  (a)  technical  data  (TD;  e.g.,  product  design  data,  computer  databases,  computer 
software  documentation)  and  (b)  computer  software  (CS;  e.g.,  source  code,  executable 
code,  design  details,  processes,  and  related  materials).  These  rights  are  realized  through  IP 
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licenses  provided  by  system  product  or  service  providers  (e.g.,  software  producers)  to  the 
government  customer,  so  long  as  the  customer  fulfills  the  obligations  stipulated  in  the 
license  agreement  (e.g.,  to  indicate  how  many  software  users  are  authorized  to  use  the 
licensed  product  or  service  according  to  a  fee  paid).  As  already  noted,  our  acquisition 
research  has  focused  on  issues  addressing  OA  systems  and  IP  licenses  since  2008 
(Scacchi  &  Alspaugh,  2008). 

OA  software  systems  offer  the  potential  to  improve  acquisition  by  providing  new 
ways  and  means  to  acquire,  develop,  deploy,  and  sustain  software-intensive  systems. 

These  new  ways  and  means  in  turn  may  transform  how  the  DoD  acquires  complex  systems 
by  moving  away  from  long-duration,  proprietary  (closed)  system  architecture,  and  the 
difficult-to-control  cost  of  system  development  efforts,  towards  systems  that  may  be  more 
rapidly  assembled/integrated  in  an  OA  manner  with  more  transparent  costs.  Such  a 
transformation  may  in  turn  reduce  vendor  lock-ins  that  oftentimes  are  associated  with  rising 
costs  to  sustained  deployed  systems  that  are  inaccessible  to  competing  vendors.  So  closed 
architecture  legacy  systems  are  often  subject  to  IP  licenses  whose  consequence  is  to 
reduce  competition  while  increasing  system  sustainability  costs.  Our  research  on  OA 
systems  dating  many  years  back  (Scacchi  &  Alspaugh,  2008)  has  consistently  been  aligned 
with  efforts  for  improving  competition  in  software  system  development  and  evolution  through 
an  investigation  of  innovative  ways  and  means  to  acquire/develop  component-based  OA 
software  systems  that  are  subject  to  diverse,  heterogeneous  IP  licenses  (Alspaugh, 

Scacchi,  &  Asuncion,  2010).  But  there  is  more  to  do  to  improve  competition  and  defense 
affordability  while  effectively  managing  technical  data  rights  when  addressing  the  acquisition 
of  secure  OA  systems.  In  particular,  this  includes  understanding  that  the  processes  for 
acquiring  such  systems  are  facilitated  or  constrained  in  light  of  overall  BBP  guidance  and 
best  practices  as  well  as  how  best  to  improve  and  streamline  these  processes.  These  topics 
are  our  focus  in  the  remainder  of  this  paper. 

How  Better  Buying  Power  Impacts  the  Processes  for  Acquiring  OA  Systems 

The  move  to  OA  systems  represents  a  transition  from  the  acquisition  of  monolithic 
systems  to  the  acquisition  of  reusable  system  components  that  can  be  integrated  to  realize 
different  configurations  of  a  software  product  family  for  a  specific  application  domain 
(Bergey  &  Jones,  2010;  Guertin  &  Clements,  2010;  Jones  &  Bergey,  2011;  Reed  et  al., 

2012;  Scacchi  &  Alspaugh,  2012b;  Northrop  &  Clements,  2007;  Womble  et  al.,  2011).  These 
components  are  acquired  within  a  software  ecosystem  that  is  evolving  towards  component 
provisioning  within  open  repositories,  where  components  from  different  producers  are 
available  for  selection,  evaluation,  and  system  integration  (Guertin  &  Womble,  2012;  Martin 
&  Lippold,  2011;  Reed  etal.,  2012;  Scacchi,  2007;  Scacchi  &  Alspaugh,  2012a,  2013b). 
Figure  1  provides  a  graphic  view  of  how  such  an  ecosystem  spans  from  a  sample  of 
software  producers  and  components  through  system  integrators  to  software 
consumers/users. 
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Figure  1.  A  Sample  Software  Ecosystem  of  Producers,  Components, 
Integrators,  Alternative  OA  Systems,  and  Consumers/Users 

(Scacchi  &  Alspaugh,  2012b) 

Figure  2  provides  a  view  of  a  sample  of  lightweight  software  components  (“widgets” 
targeted  for  software  developers  or  integrators  in  this  example)  for  download  and  installation 
within  a  Web  browser.  These  widgets,  made  by  different  producers,  are  available  for 
acquisition  from  Google’s  Chrome  Web  Store. 
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Figure  2.  A  Sample  View  of  Lightweight  Software  Components  (“Widgets”)  That  Can  Be 
Readily  Acquired  for  Evaluation  or  Integration  From  Google’s  Chrome  Web 

Store 


Such  an  online  store  serves  as  a  marketplace  that  provides  access  to  ready-to-run, 
closed  source  software  executables  from  within  an  online  software  repository  that  can  be 
navigated  using  the  menu  on  the  left  side,  browsed  by  scrolling,  or  accessed  by  entry  of  a 
search  term/phrase  in  the  upper-left  corner  (see  Figure  2). 

Software  components  in  an  online  marketplace  like  this  are  rated  or  recommended 
by  other  consumers,  but  the  IP  licenses  for  the  TD  and  CS  are  hidden  away  with  each 
component  and  may  be  challenging  to  locate  prior  to  installation.  Google  Play  for  Android 
Apps  and  the  Apple  App  Store  also  offer  software  (widget)  components  for  their  respective 
computing  platforms  (Android  and  iPhone  smartphones,  or  Nexus  and  iPad  mobile  tablet 
computers). 

Figure  3  provides  a  view  of  a  different  online  repository  that  exclusively  features  OSS 
components  found  at  SourceForge.net  (similar  to  Forge.mil  [DISA,  2012;  Martin  &  Lippold, 
2011]),  where  the  IP  licenses  for  each  software  component  are  prominently  displayed  when 
one  selects  to  look  more  closely  into  the  details  and  development  status  of  a  component  of 
interest.  In  contrast  to  the  Web-browser-specific  software  widgets  available  at  the  Chrome 
Web  Store,  the  OSS  components  at  SourceForge.net  represent  more  substantial, 
production-oriented  software  tools  or  utilities  that  can  operate  as  stand-alone  application 
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programs.  Forge.mil  may  be  envisioned  to  provide  support  for  accessing  pre-tested  and 
certified  software  components,  whether  lightweight  widgets  or  more  substantial  application 
systems,  in  OSS  code  and  ready-to-run  executable  forms  with  technical  data  rights 
designed  for  government  purposes.  Thus  overall,  what  we  see  is  that  if  we  want  to  improve 
competition  through  the  acquisition  of  component-based  software  systems,  our  choice  of 
which  online  repository  or  marketplace  to  use  leads  to  different  kinds  of  software 
components  with  different  IP  license  schemes. 


Figure  3.  Sample  of  OSS  Security/Utility  Components  Found  at  SourceForge.net 

Next,  we  encounter  challenges  in  the  development  of  integrated  OA  systems  that  are 
configured  from  different  software  components.  Figure  4  provides  a  visual  representation 
showing  that  different  software  producers  can  develop  different  kinds  of  software 
components  (small,  medium,  or  large  size/capability),  which  system  integrators  can  select 
from  in  order  to  create  an  OA  system  product  line  of  alternative  component  configurations. 
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Figure  4.  A  Component-Based  Software  Ecosystem  That  Configures  a  Product  Line  of 
Four  Alternative  System  Configurations,  Conforming  to  an  OA  System  Design 

in  Figure  5 

Figure  5  shows  a  simple  OA  system  design  that  accommodates  alternative  software 
components  as  applications  or  infrastructure  elements  that  may  be  subject  to  OSS  or 
proprietary  licenses.  The  applications  (“apps”)  may  include  small,  proprietary,  and 
lightweight  browser  widgets  or  large  components  like  OSS-based  Web  browsers.  The 
infrastructure  software,  which  is  assumed  to  serve  as  an  independent  foundation  for 
application  software,  can  include  proprietary  or  OSS  components  like  database 
management  systems  (or  network  file  systems  or  other  online  repositories)  and  computer 
operating  systems.  Figure  6  displays  the  selection  of  one  set  of  conforming  software 
components  selected  from  the  software  ecosystem  in  Figure  4  that  also  conforms  to  the  OA 
system  design  in  Figure  5. 
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Figure  5,  A  Simple  OA  System  Design  That  Accommodates  Software  Components  as 
Applications  or  Infrastructure  Elements,  Shown  in  Figure  4 
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Figure  6.  A  Selection  of  Software  Components  From  the  Ecosystem  in  Figure  4 

Conforming  to  the  OA  System  Design  in  Figure  5 

Lightweight  software  widgets  are  developed  using  domain-specific  scripting 
languages,  like  JavaScript  or  PHP,  which  are  designed  to  operate  with  popular  Web 
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browsers  or  browser-based  integrated  system  environments.  These  widgets  commonly 
represent  small  programs  that  are  often  produced  with  limited  resources  on  short  time 
frames  and  sometimes  constitute  only  hundreds  of  lines  of  scripting  source  code.  More 
complex  integrated  capabilities  can  be  constructed  by  integrating  a  set  of  selected  widgets 
using  additional  scripting  code  via  integration  techniques  that  produce  inter-application 
“mashups.”  Consequently,  there  is  substantial  competition  in  the  widget/app  marketplace. 
However,  these  lightweight  software  components  often  have  short-term  life  cycles,  and  few 
updates  before  their  demise. 

At  present,  lightweight  software  components  tend  not  to  be  sustained  for  periods 
beyond  their  early  availability,  widespread  adoption,  and  deployment.  Their  life  cycle  may  be 
measured  in  months,  rather  than  years  (or  decades).  Consequently,  these  lightweight 
components  are  effectively  designed  to  be  disposable,  low-cost  software — acquire  it,  then 
use  it  until  something  better  is  available,  then  repeat.  This  means  that  it  may  be  easier  for 
producers  of  such  components  to  develop  new  components  with  new(er)  capabilities, 
technologies,  or  remote  services,  rather  than  trying  to  sustain  the  short-lived  legacy  code.  In 
this  regard,  producing  new  components  may  be  less  costly  than  maintaining  legacy 
components  that  depend  on  technologies  or  services  that  may  no  longer  be  available  or 
viable.  Lightweight  software  components  with  short  life  cycles  in  this  regard  may  improve 
competition,  overall  system  adaptability,  and  affordability  while  reducing  vendor  lock-in  to 
costly  legacy  software.  Updated  versions  of  such  components  may  be  provided  to  repair  or 
replace  problematic  implementations,  but  they  may  also  appear  simply  as  an  inducement  to 
maintain  use  of  the  component  until  an  extended  (e.g.,  “pro”)  version  becomes  available  for 
acquisition.  Finally,  the  globally  dominant  online  app  stores  like  those  operated  by  Apple, 
Blackberry,  Google,  Microsoft,  and  others  tend  to  primarily/exclusively  distribute  small, 
lightweight  software  components  as  proprietary  closed  source  executables  on  a  per-user 
basis,  and  with  IP  licenses  that  prohibit  open  access,  reuse,  modification,  and  redistribution. 
But  these  choices  are  determined  by  the  business  models  of  the  online  repository/store 
operators,  rather  than  on  some  critical  technological  dependency  or  constraint.  So  new 
software  products  like  lightweight  components  from  online  repositories/stores  will  likely 
require  more  agile  acquisition  processes,  contracting  practices,  and  replacement/upgrade 
and  IP  license  management  regimes. 

In  contrast,  the  Web  browsers  in  which  these  widgets  run  are  themselves  substantial 
multi-million  source  lines  of  code  software  components  that  are  often  integrated  into  larger 
software-intensive  defense  systems,  like  the  C2RPC  experimentation  platform  (Garcia, 

2010;  Gizzi,  201 1 ).  These  browsers  and  other  integrated  software  packages  are  tested  and 
deployed  on  global  scales,  which  in  turn  helps  to  insure  their  viability,  sustainability,  and 
quality  within  a  highly  competitive  software  product  ecosystem.  Their  availability  as  either 
proprietary  or  OSS  forms  indicates  that  there  is  active,  ongoing  competition  among  their 
producers.  In  addition,  these  OSS  browsers  and  other  integrated  software  packages  based 
on  open  standards  (e.g.,  OpenOffice,  LibreOffice)  mean  that  commonly  used,  large-scale 
software  applications  and  software  infrastructure  systems  are  available  with  IP  licenses  that 
offer  lower  acquisition  costs  and  improved  competition,  as  well  as  improved  defense 
affordability  options. 

OSS  components  found  at  SourceForge.net  or  Forge.mil  are  typically  somewhere  in 
between  in  size,  complexity,  and  functional  capability  of  lightweight  widgets  and  large 
integrated  software  packages.  However,  there  is  no  requirement  imposed  in  OSS 
repositories  about  what  size,  complexity,  or  capability  components  can  be  made  available. 
So  many  OSS  components  range  in  size  from  thousands  to  hundreds  of  thousands  of 
source  lines  of  code,  and  they  vary  in  terms  of  their  quality  and  sustainability.  OSS 
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components  from  online  repositories  like  SourceForge.net  are  generally  available  for  free  or 
for  a  low  cost  and  may  or  may  not  be  designed  around  open  standards.  Many  OSS-based 
applications  do  not  rely  on  any  standards,  while  much  OSS-based  infrastructure  software 
relies  on  either  open  industry  standards  or  de  facto  standards  grounded  in 
proprietary/legacy  systems  (sometimes  referred  to  as  “workalike”  or  functionally  similar 
[Scacchi  &  Alspaugh,  2012b]  systems).  In  contrast,  the  DoD  is  seeking  to  make  sure  that  its 
online  OSS  repositories  like  Forge.mil  (or  others)  will  only  host  components  that  are  pre¬ 
tested  and  certified  as  compliant  with  relevant  standards,  quality/reliability  indicators,  and 
security  policies  relevant  to  their  problem  domain  (DISA,  2012;  Kenyon,  2012;  Reed  et  al., 
2012], 

Software  components  and  online  component  repositories/stores  offer  the  potential  to 
transform  the  ways  and  means  for  acquiring  and  developing  component-based  OA  systems. 
But  at  present,  the  size,  functional  complexity,  quality,  extensibility,  and  sustainability  of 
different  software  components  vary  in  part  based  on  the  repository/store  from  which  they  are 
acquired.  Although  components  that  can  be  integrated  within  a  secure  OA  system  offer  the 
potential  to  increase  competition,  the  acquisition  processes  need  to  be  updated  and  the 
acquisition  workforce  newly  trained  in  these  new  ways  and  means  in  order  to  maximize  the 
likelihood  for  BBP  initiatives  addressing  OA  systems. 

How  Best  to  Improve  and  Streamline  Acquisition  Processes  for  Secure  Open 
Architecture  Systems 

The  transition  to  the  development,  deployment,  and  sustainment  of  software¬ 
intensive  systems  based  on  an  OA  means  that  new  or  revised  acquisition  processes  may  be 
needed.  In  particular,  we  believe  that  such  advances  call  for  (a)  the  adoption  of  open 
business  models  within  the  DoD  and  its  industry  partners,  (b)  open  source  approaches  to 
creating  Web-based  acquisition  processes  (Scacchi,  2001)  that  specifically  address  BBP 
initiatives,  and  (c)  employing  techniques  for  streamlining  these  processes  (Choi  &  Scacchi, 
2001;  Nissen,  1998;  Scacchi  &  Noll,  1997;  Scacchi,  2001)  for  secure  OA  systems.  Each  is 
described  in  turn  in  this  section. 

Encouraging  the  Adoption  of  Open  (Source)  Business  Models 

One  goal  of  BBP  initiatives  is  to  reduce  costs  by  improving  competition.  Such  a 
situation  may  be  disconcerting  to  legacy  software  producers  who  are  long  experienced  with 
the  long-term  development  of  proprietary,  large-scale  software  systems  with  closed 
architectures  that  are  subject  to  traditional,  cumbersome,  and  costly  software  product 
licenses  and  license  management  regimes  (Anderson,  2012;  Konary,  2009).  A  move 
towards  the  agile  and  adaptive  development  of  secure  OA  systems  based  on  software 
components — that  can  be  developed/integrated  more  rapidly  and  at  a  lower  cost  with  more 
favorable  IP  licenses — represents  a  new  acquisition  strategy  (Reed  et  al.,  2012;  Scacchi  & 
Alspaugh,  2013b).  This  suggests  the  need  to  incentivize  software  producers  and  system 
integrators  so  as  to  insure  their  ability  to  effectively  produce  both  proprietary  and  OSS 
components  that  are  economically  viable  yet  cost  effective  to  the  government  over  the  life  of 
such  systems.  The  overall  BBP  mandate  recognizes  this  situation  but  does  not  specify  the 
means  for  how  best  to  accomplish  it.  We  believe  that  one  promising  candidate  is  for  defense 
enterprises  and  program  offices  to  adopt  new  open  business  models. 

The  business  models  that  we  have  in  mind  should  be  rendered  in  an  open  source 
format.  Such  models  should  be  computer  processable  (i.e.,  amenable  to  automated 
enactment  support)  and  transparent  to  participants  in  the  acquisition  workforce  (e.g., 
available  through  Web-based  application  systems  [Scacchi,  2001;  Scacchi  &  Noll,  1997]). 
They  should  similarly  be  open  to  participants  in  software  producer,  system  integrator,  and 
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system  user  enterprises.  These  models  should  incorporate  a  product  line  of 
common/reusable  open  system  architectures  that  can  integrate  functionally  similar  software 
components  in  order  to  realize  domain-specific  system  solutions  (e.g.,  for  domains  like  C2, 
weapon  systems,  or  enterprise  computing;  Bergey  &  Jones,  2010;  Guertin  &  Clements, 

2010;  Jones  &  Bergey,  2011;  Reed  et  al.,  2012;  Scacchi  &  Alspaugh,  2012b;  Northrop  & 
Clements,  2007;  Womble  et  al.,  2011).  These  business  models  should  incorporate  Web- 
based  computational  models  of  acquisition  processes  (Nissen,  1998;  Scacchi,  2001; 

Scacchi  &  Noll,  1997)  that  manage  the  system  development  and  support  processes  that 
surround  the  OA  product  line  system  models.  Finally,  these  business  models  should 
highlight  which  acquisition  or  system  development  processes,  or  OA  system  features, 
require  attention  to  IP  licenses. 

Prior  research  has  demonstrated  that  significant  cost  reductions  and  process 
streamlining  are  possible  when  open  source  business  process  models  are  utilized  (Choi  & 
Scacchi,  2001;  Nissen,  1998;  Scacchi  &  Noll,  1997;  Scacchi,  2001).  These  kinds  of  models 
can  be  subjected  to  performance  measurements  across  multiple  acquisition  process 
enactments,  continuous  improvement,  and  process  redesign  by  the  acquisition  workforce 
(Scacchi,  2001).  Now  we  propose  to  enhance  and  extend  their  value  through  the 
incorporation  of  OA  system  models.  While  demonstrating  such  a  capability  is  beyond  the 
scope  of  this  study,  prior  research  results  suggest  the  plausibility  of  such  an  approach.  So 
future  acquisition  research  targeting  BBP  may  be  directed  to  the  creation  of  open  business 
models  that  can  be  openly  accessed,  reused,  modified,  and  redistributed  where  appropriate. 

Open  Source  Models  of  Acquisition  Processes 

As  noted,  prior  research  has  demonstrated  the  value  and  real  payoffs  of  Web-based 
computational  models  for  defense  acquisition  processes  (Choi  &  Scacchi,  2001;  Nissen, 
1998;  Scacchi  &  Noll,  1997;  Scacchi,  2001).  However,  many  technological  advances, 
organizational  transformations,  and  shifting  defense  priorities  have  occurred  since  these 
results  were  first  demonstrated  and  deployed  years  ago.  Our  own  studies  on  the  design  of 
secure  OA  system  product  lines  are  an  example  of  technological  advances  not  addressed  in 
our  earlier  process  models.  But  without  explicit,  open  source  process  models  that  can  be 
enacted  through  Web-based  user  interfaces  (i.e.,  Web  browsers  accessing  remote 
application  services  while  tracking  process  enactment  progress  and  performance 
parameters),  the  ability  to  realize  their  benefits  (like  process  streamlining  and  cost  reduction) 
is  elusive  and  difficult  to  manifest.  Among  the  reasons  for  why  this  is  so  includes  overcoming 
gaps  for  how  best  to  (a)  monitor  and  measure  acquisition  process  performance  without 
automated  enactment  support;  (b)  redesign  legacy  processes  to  better  accommodate 
technical  advances  and  to  remove  ineffective  bureaucratic  procedures,  or  that  transform 
acquisition  processes  in  ways  that  do  more  with  less  while  also  empowering  the  acquisition 
workforce;  (c)  design  new  acquisition  processes  like  those  for  acquiring  secure,  component- 
based  OA  software  systems  subject  to  multiple  IP  licenses;  and  (d)  accommodate  software 
IP  licenses  and  license  management  regimes  as  acquisition  process  cost  elements.  To 
better  understand  what  gaps  exist  in  these  four  areas,  we  now  describe  techniques  for 
streamlining  the  acquisition  processes  for  secure  OA  systems. 

Techniques  for  Streamlining  Acquisition  Processes  for  Secure  Open  Architecture 
Systems 

A  goal  of  this  paper  is  to  identify  ways  and  means  for  streamlining  acquisition 
processes  for  secure  OA  systems.  In  particular,  we  focus  on  four  kinds  of  techniques  that 
can  be  used  to  streamline  such  processes  in  ways  that  are  responsive  to  the  BBP  initiative 
for  open  system  architectures  subject  to  complex  IP  licenses.  These  techniques  are 
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illustrative  rather  than  exhaustive  since  other  kinds  of  techniques  in  other  areas  are  also 
expected  to  exist  and  be  available  for  practice  by  the  acquisition  workforce. 

Process  Measurement  and  Assessment 

The  most  direct  way  to  determine  the  efficiency  and  effectiveness  of  acquisition 
processes  is  by  measuring  their  structural  attributes.  Such  attributes  indicate  things  such  as 
(a)  the  length  of  the  longest  path  of  process  steps/actions  (process  length);  (b)  the  number 
of  distinct  process  paths  (process  width);  (c)  the  number  of  sub-process  levels  (process 
depth);  (d)  the  total  number  of  process  steps  (process  size);  and  (e)  the  process  size  divided 
by  process  length  (process  parallelism)  as  well  as  others  metrics  (Nissen,  1998).  But  without 
an  explicit  graph-based  model  of  acquisition  processes,  such  measurements  are  impractical 
or  implausible.  Nonetheless,  such  metrics  are  a  key  for  where  to  look  for  process 
improvement  or  process  redesign  opportunities.  One  might  also  recognize  that  some 
acquisition  processes  are  underspecified — for  example,  by  not  explicitly  accounting  for 
where  software  licenses  are  negotiated  or  license  trade-off  analysis  is  done.  Similarly, 
because  OA  systems  may  include  software  components  subject  to  different  licenses 
(Alspaugh  et  al.,  2010),  how  are  component-component  license  interactions  assessed  or 
analyzed,  if  at  all?  If  acquisition  processes  do  not  explicitly  account  for  new  acquisition  or 
license  management  activities  that  emerge  due  to  advances  in  OA  system  development, 
then  such  processes  are  underspecified,  which  means  their  costs  are  hidden  and  difficult  to 
control/minimize.  Thus,  if  the  goal  of  BBP  is  to  help  improve  the  affordability  of  OA  systems 
within  the  DoD,  then  we  need  to  be  able  to  systematically  model,  measure,  and  assess  our 
acquisition  processes  (Scacchi,  2001).  Similarly,  we  need  to  better  understand  how  to 
measure  and  assess  open  business  models  for  use  within  the  DoD  and  its  industry  partners 
to  incentivize  and  continuously  improve  competition  and  defense  affordability 

Process  Redesign  and  Evolution 

Once  we  have  the  ability  to  measure  and  assess  current/emerging  acquisition 
processes  for  secure  component-based  OA  systems,  we  can  then  begin  to  analyze  (or 
simulate)  them  in  ways  that  reveal  process  redesign  opportunities  and  transformation 
heuristics  (Choi  &  Scacchi,  2001;  Nissen,  1998;  Scacchi  &  Noll,  1997;  Scacchi,  2001). 
Among  the  acquisition  process  pathologies  we  seek  to  identify  are  those  where  measured 
processes  reveal  sub-processes  with  low  effectiveness  (indicating  high  levels  of  iterative 
rework),  low  efficiency  (indicating  slow  or  bureaucratically  cumbersome  process  steps  that 
add  marginal  value  to  process  completion),  and  problematic  sub-processes  (indicating 
underspecified  process  steps,  steps  that  generate  processing  delays  due  to  missing  and/or 
incorrect  acquisition  data,  or  inappropriate  automated  process  enactment  support).  For 
example,  current  processes  that  assume  the  long-term  acquisition  of  monolithic  software 
systems  with  proprietary  components  integrated  within  a  closed  architecture  are  likely  not 
well  suited  to  address  the  challenges  for  acquiring  secure  OA  systems  that  integrate 
software  components  from  different  online  repositories.  We  also  place  our  acquisition 
workforce  at  a  disadvantage  if  we  do  not  empower  them  with  the  ability  to  measure,  assess, 
and  adaptively  redesign  their  processes  as  technological  advances  like  component-based 
OA  systems  are  to  be  acquired.  New  software  component  technologies  and  software 
ecosystem  niches  (Scacchi  &  Alspaugh,  2012a)  are  also  emerging,  which  necessitate  new 
continuous  development  processes  and  new  license  management  practices  and  thus  the 
redesign/evolution  of  acquisition  processes  (Scacchi  &  Alspaugh,  2013a;  Scacci  et  al., 

2012).  These  examples  all  point  to  new  opportunities  to  redesign,  evolve,  or  otherwise 
transform  existing  acquisition  processes  to  better  fit  the  challenges  posed  by  the 
development,  deployment,  and  support  of  secure,  component-based  OA  systems.  Finally, 
we  can  empower  the  acquisition  workforce  to  realize  continuously  improved  acquisition 
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processes  if  we  can  provide  them  with  the  training  and  resources  for  modeling,  analyzing, 
and  redesigning  their  acquisition  processes  in  ways  that  utilize  Web-based  automated 
process  enactment  systems,  which  also  allow  them  to  try  out  and  walk  through  alternative 
process  redesigns  before  committing  to  their  use  in  daily  operations. 

Design  New  Acquisition  Processes 

Across  the  DoD  community,  there  are  many  variations  in  practice  for  how  to  specify 
and  model  the  architecture  of  a  software-intensive  system.  Some  practices  focus  attention 
primarily  on  identification  of  major  components  or  abstract  layers  while  minimizing  (or 
ignoring)  attention  to  interfaces  and  interconnections,  which  are  more  challenging  to  identify 
and  manage.  However,  the  BBP  initiative  for  OA  systems  points  to  the  need  for  managing 
explicit  interface  specifications  that  identify  and  reinforce  the  use  of  standard  interfaces 
(DAU,  2012).  Without  such  interface  and  interconnection  specifications,  it  is  not  possible  to 
determine  the  scope  or  potential  conflicts/matches  between  the  IP  licenses  (and  thus  TD 
rights)  for  the  overall  system  architecture.  In  contrast,  we  have  demonstrated  in  our  prior 
research  that  component-based  OA  systems  become  tractable  and  evolvable  from  IP 
license  management  and  security  perspectives  when  the  system  architecture  of 
components,  connectors,  and  interfaces  are  explicitly  modeled  (Alspaugh  et  al.,  2010; 
Scacchi  &  Alspaugh,  2011, 2012a,  2012b,  2013b).  The  use  of  standard  interfaces  further 
allows  for  simpler  renderings  of  OA  system  structure,  and  thus  simplifies  license  analysis. 
Further,  once  interfaces  and  interconnections  become  explicit,  software  component 
producers,  system  integrators,  and/or  system  consumers  can  determine/negotiate  which 
interfaces  should  be  standardized  in  order  to  improve  competition  and  affordability.  These 
standards  may  then  define  acceptable  data  types,  relationships  between  data  types,  data 
attribute  value  ranges,  and  exceptional  data  values  in  ways  that  are  open,  sharable,  and 
reusable  as  well  as  extensible  when  appropriate.  Such  improvements  become  possible  by 
enabling  an  agile,  adaptive  ecosystem  for  software  components  of  different  size  and 
capability  relative  to  OA  system  product  lines  for  different  application  domains  (Reed  et  al., 
2012;  Scacchi  &  Alspaugh,  2012a,  2013b).  Therefore,  another  important  technique  for 
streamlining  the  acquisition  of  secure,  component-based  OA  systems,  in  line  with  BBP 
initiatives,  is  to  provide  the  acquisition  workforce  with  the  resources  and  automated  support 
to  design  and  computationally  enact  new  acquisition  processes  (i.e.,  explicitly  modeled 
processes;  Choi  &  Scacchi,  2001;  Nissen,  1998;  Scacchi  &  Noll,  1997;  Scacchi,  2001), 
where  the  processes  are  open,  agile,  and  adaptive.  Such  modeled  processes  may  also  then 
be  shared,  reused,  continuously  improved,  and  redistributed  across  the  ecosystem  of 
defense  enterprises  and  program  offices. 

Cost  Management  as  a  Process  Design  Element 

Part  of  the  promise  of  the  move  to  OA  systems  stems  from  their  perceived  potential 
to  reduce  acquisition  life  cycle  costs,  improve  competition,  and  improve  defense  affordability 
(DAU,  2012).  But  where  and  how  are  the  associated  cost  factors  or  cost  drivers  for  OA 
systems  identified,  tracked,  and  managed?  After  all,  if  we  do  not  know  where  the  cost 
factors  are,  or  what  activities,  conditions,  or  events  drive  OA  system  acquisition  costs,  then 
we  cannot  effectively  control  such  costs  nor  make  well-informed  system  capability/cost 
trade-offs.  For  example,  people  who  manage  the  acquisition  of  large-scale  software  systems 
within  various  defense  enterprises  are  familiar  with  the  many  types  of  end-user  license 
agreements  for  proprietary,  closed  source  software  systems  (Anderson,  2012).  In  contrast, 
these  people  may  not  know  how  best  to  manage  the  acquisition  of  OA  systems  whose 
software  components  are  jointly  subject  to  different  OSS  or  proprietary  licenses. 

The  acquisition  workforce  have  also  learned  in  practice  that  software  IP  licenses  are 
subject  to  change  over  time.  However,  one  consequence  is  that  long-lived  or  widely  used 
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software  systems  become  more  costly  and  much  less  amenable  to  technology  substitution 
or  vendor  replacement,  thereby  reducing  competition  due  to  vendor  lock-in.  This  works 
against  defense  affordability.  In  contrast,  emerging  online  repositories  offer  different  kinds  of 
software  components  with  different  functional  capabilities  (described  earlier)  along  with 
different  IP  licenses  and  end-user  licenses  (e.g.,  low-cost,  per-user  licenses).  These 
repositories  of  software  components  represent  a  means  for  increased  competition  and 
affordability  but  are  subject  to  different  acquisition,  development,  or  integration  processes 
that  are  just  coming  to  light.  Accordingly,  we  believe  that  streamlining  the  acquisition 
process  for  secure,  component-based  OA  systems  requires  that  IP  license  cost  obligations 
(e.g.,  license  fees  for  end-user  agreements)  and  license  management  regimes  need  to  be 
incorporated  into  process  measurement  and  assessment,  process  redesign  and  evolution, 
and  the  design  of  new  acquisition  processes.  This  is  also  a  subject  for  further  acquisition 
research — but  one  offering  practical  near-term  consequences. 

Conclusions 

In  this  paper,  we  presented  our  current  results  from  an  ongoing  investigation  of  how 
best  to  acquire  secure  OA  software  systems.  These  systems  incorporate  SPL  practices  that 
include  closed  source  proprietary  software  and  OSS  components,  where  such  components 
and  overall  system  configurations  are  subject  to  different  security  requirements.  The 
combination  of  SPLs  and  OSS  components  within  secure  OA  systems  represents  a 
significant  opportunity  for  reducing  the  acquisition  costs  of  software-intensive  systems  by 
the  DoD  and  other  government  agencies.  Through  our  research  efforts,  we  seek  to  make 
the  acquisition  of  secure,  component-based  OA  systems  a  simpler,  more  transparent,  and 
more  tractable  process.  Such  a  process  must  be  easy  to  explicitly  model,  share,  reuse, 
adapt,  and  streamline  for  different  system  application  domains.  Our  goal  was  to  identify 
ways  and  means  for  how  to  realize  cost  reductions  and  improve  acquisition  workforce 
capabilities  in  ways  that  address  BBP  initiatives  associated  with  the  move  to  OA  systems 
and  licenses  (DAU,  2012). 

In  this  paper,  we  identified  different  ways  and  means  for  how  to  streamline  the 
acquisition  process  for  secure  OA  software  systems  through  a  focus  on  doing  more  with 
limited  resources.  Central  to  our  approach  was  our  effort  to  identify  and  characterize  new 
ways  and  means  for  acquisition  process  measurement  and  assessment,  process  redesign 
and  evolution,  the  design  of  new  acquisition  processes,  and  the  incorporation  of  cost  factors 
and  cost  drivers  as  an  element  in  new  acquisition  processes.  Along  the  way,  we  paid 
particular  attention  to  revealing  how  licensing  practices  for  emerging  online  software 
component  marketplaces  can  affect  cost  in  ways  that  either  hamper  or  better  the  buying 
power  of  acquisition  programs.  Consequently,  we  sought  to  identify  possible  next  steps  for 
new  acquisition  research  that  can  further  accelerate  efforts  to  improve  competition  and 
defense  affordability  as  well  as  empower  the  acquisition  workforce  going  forward,  in  ways 
aligned  with  BBP  initiatives. 
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